CVE-2025-5335: CWE-426 Untrusted Search Path in Autodesk Installer

Severity: High
Type: Vulnerability
Tags: CVE-2025-5335, cve, cve-2025-5335, cwe-426
Published: Tue Jun 10 2025 (06/10/2025, 14:50:15 UTC)
Source: CVE Database V5
Vendor/Project: Autodesk
Product: Installer

Description

A maliciously crafted binary file when downloaded could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to an untrusted search path being utilized in the Autodesk Installer application. Exploitation of this vulnerability may lead to code execution.

AI-Powered Analysis

Last updated: 08/20/2025, 00:40:04 UTC

Technical Analysis

CVE-2025-5335 is a high-severity vulnerability in Autodesk Installer version 2.13, classified under CWE-426 (Untrusted Search Path). The installer uses an untrusted search path to locate and execute binaries during its operation. If a maliciously crafted binary file is downloaded and placed in a location that the installer searches before the legitimate system binaries, the installer can be tricked into executing it. The result is escalation of privileges to NT AUTHORITY/SYSTEM, the highest privilege level on Windows systems, which gives full control over the affected machine.

The CVSS vector indicates local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R), such as running the installer or opening a malicious file. The impact on confidentiality, integrity, and availability is high, because the attacker can execute arbitrary code with SYSTEM privileges, potentially leading to complete system compromise. No known exploits in the wild have been reported yet, and no patches had been published at the time of disclosure.

The vulnerability matters most in environments where Autodesk Installer 2.13 is used, especially where users might download installers or updates from untrusted sources or where local users might be untrusted or compromised. Untrusted search path issues typically involve an application searching for DLLs or executables in directories that an attacker can influence, such as the current working directory or user-writable folders, rather than using fully qualified paths or secure loading mechanisms.

Potential Impact

For European organizations, the impact of CVE-2025-5335 can be significant, particularly in industries relying heavily on Autodesk products, such as architecture, engineering, construction, manufacturing, and media. Successful exploitation could allow attackers to gain SYSTEM-level privileges on workstations or servers running the vulnerable installer, leading to unauthorized access to sensitive design files, intellectual property theft, sabotage of project data, or lateral movement within corporate networks. This could disrupt critical business operations and lead to regulatory compliance issues under GDPR if personal or sensitive data is exposed or manipulated. Given the high privileges gained, attackers could deploy ransomware, exfiltrate data, or establish persistent footholds. The requirement for user interaction and local access somewhat limits remote exploitation but does not eliminate risk, especially in environments with shared workstations or where phishing campaigns could trick users into running malicious installers. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future active exploitation, especially as threat actors often weaponize such vulnerabilities rapidly after disclosure.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately audit and inventory all Autodesk Installer versions in use, focusing on version 2.13.
2) Restrict local user permissions to prevent unauthorized users from placing or executing files in directories that the installer searches.
3) Educate users to avoid running installers or updates from untrusted sources and verify digital signatures where possible.
4) Implement application whitelisting and code integrity policies (e.g., Windows Defender Application Control or AppLocker) to prevent execution of unauthorized binaries.
5) Monitor and restrict write permissions on directories commonly used in the search path to prevent insertion of malicious binaries.
6) Employ endpoint detection and response (EDR) solutions to detect suspicious process executions and privilege escalations.
7) Coordinate with Autodesk for timely patch releases and apply updates as soon as they become available.
8) Consider isolating systems that require Autodesk Installer usage to limit potential lateral movement.

These steps go beyond generic advice by focusing on controlling the search path environment and user behavior specific to this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: autodesk
Date Reserved: 2025-05-29T14:52:55.445Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f551b0bd07c3938a3fa

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 8/20/2025, 12:40:04 AM

Last updated: 9/27/2025, 3:29:46 AM
